Turbo Talk
Tuesday, January 27

12:00pm PST

Hacking Management: Why Stop at Domain Admin?
Why won't your company's management just "do the right thing" with security? How can you get necessary changes made when the answer always seems to be "no"? In this turbo talk, learn quick tips and tricks for hacking organizational decision making structures, using empathy to communicate more effectively, and improving tactical execution of your change plan.

Speakers

Adam Brand

Adam Brand is a habitual Changer of Things. As an Associate Director with Protiviti's Information Security and Privacy practice, he helps organizations improve their information security programs, find existing attackers within their networks ("hunting"), and respond to security incidents...


Tuesday January 27, 2015 12:00pm - 12:30pm PST
Annenberg Community Beach House: Track 4, 415 Pacific Coast Hwy, Santa Monica, CA 90402

12:00pm PST

Malicious MDM: Fun with iOS MobileConfigs
MDM can be a great way to put security controls on smartphones, but what happens when an attacker brings your device into their MDM domain? From smartphone manufacturers to cell phone service providers, everyone seems to be developing a solution for managing smartphones. We will be covering the basics of how MDM works and how an attacker can abuse the Apple MDM service to gain control over iOS devices. The talk will demonstrate how malicious MDM configurations are deployed and how compromised company phones can be used to gain access to a company's internal domain. Additionally, we will be covering the steps you should take to protect your business from malicious MDM profiles.

Speakers

Karl Fosaaen

NetSPI, Security Consultant
Karl is a senior security consultant at NetSPI. This role has allowed Karl to work in a variety of industries, including financial services, health care, and hardware manufacturing. Karl specializes in network and web application penetration testing. In his spare time, Karl likes...


Tuesday January 27, 2015 12:00pm - 12:30pm PST
Annenberg Community Beach House: Track 1, 415 Pacific Coast Hwy, Santa Monica, CA 90402

12:00pm PST

No Better ROI: HTTP Headers for Security
Eli Goldratt asks us to always keep in mind, "What's the Goal?" If our goal is to help the business succeed, how can we make the biggest impact with web application security for the least effort? This turbo talk will reveal extremely powerful, very low-cost, and badly underutilized HTTP headers that help the business win.

Speakers

Caleb Queern

Chief Scientist, Cyveillance
Caleb Queern is the Chief Scientist at Cyveillance, and the creator of securityheaders.com.


Tuesday January 27, 2015 12:00pm - 12:30pm PST
Annenberg Community Beach House: Track 3, 415 Pacific Coast Hwy, Santa Monica, CA 90402

12:00pm PST

The Emperor's New Password Manager: Security Analysis of Web-based Password Managers
Joint work with Zhiwei Li, Warren He, Dawn Song

We conduct a security analysis of five popular web-based password managers. Unlike "local" password managers, web-based password managers run in the browser. We identify four key security concerns for web-based password managers and, for each, identify representative vulnerabilities through our case studies. Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user's credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root causes of the vulnerabilities are also diverse, ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to typical vulnerabilities like CSRF and XSS. Our study suggests that it remains a challenge for password managers to be secure. To guide future development, we provide guidance for password manager developers. Given the diversity of vulnerabilities we identified, we advocate a defense-in-depth approach to ensuring the security of password managers.

Speakers

Devdatta Akhawe

Security Engineer, Dropbox
Dev is a security engineer at Dropbox. Previously, he was a grad student at UC Berkeley interested in web application security. His research focuses on web application security, browser security, and other related topics. He is also an editor of the Sub Resource Integrity spec and...


Tuesday January 27, 2015 12:00pm - 12:30pm PST
Annenberg Community Beach House: Track 2, 415 Pacific Coast Hwy, Santa Monica, CA 90402